You don't need hacking skills to be a cyber criminal

Sophisticated, easy-to-use exploit kits turning crime into a comodity

By William Jackson

May 17, 2010

Are you digitally challenged? Don’t know a byte from a bit? Have a limited command of Unix? Don’t worry: With a new generation of professionally packaged exploit kits, you, too, can become a successful cyber criminal.

New attack kits, which package proven exploits for vulnerabilities in popular software for easy installation and management, are bringing cyber crime to a new generation of criminals who have only limited technical skills, according to a new report from M86 Security.

The existence of exploit kits, which date back to at least 2006, is no secret. But they are becoming increasingly user-friendly, lowering the bar for entry to the cyber underground and creating a new source of revenue for the coders and hackers who devise them. One such kit, the Eleonore Exploit Pack, apparently was used in recent attacks on three Treasury Department sites.

“Cyber criminals find it easier, faster and more cost-effective to make money by buying exploits rather than taking the time to create exploits themselves,” states the report, titled “Web Exploits: There’s an App for That.”

“Savvy, knowledgeable individuals with skills in developing Web applications and basic knowledge in hacking have filled a niche by creating exploit kits,” it states.

The report provides a detailed look at how the kits are packaged and marketed and how they operate. Prices for the packages start at about $100, but most sell for $400 to $1,000. Interfaces for the packages often are in Russian, and although their English skills often are limited, they show a firm grasp of Western marketing.

“We are here to introduce to [sic] the newest exploit system on the market and a whole new concept for the people. ‘Highest rates for the lowest price’,” reads the promotional material for the popular Crimepack toolkit. “All exploits used are modded to perfection to get the highest rates out of it possible. And instead of throwing together as many exploits as possible (like other packs out there) we decided to handpick a few with higher effectiveness.”

The license even includes two new domain builds if the first domain the buyer uses for the kit is blacklisted.

Browser vulnerabilities usually are the most common targets for the kits. But M86 reported that exploits for vulnerabilities in Adobe Flash, Java and PDF are on the rise. The kits are designed for easy installation on a Web server and are linked to a database for logging and reporting.

Reporting can be critical because the kits can be used to distribute pay-per-install code, for which the kit owner is paid to install third-party malware on compromised computers. Rates range from a modest $50 per 1,000 installs on European and Australian computers to a healthy $170 per 1,000 U.S. computers.

The criminals can drive victim traffic to the exploit Web page with techniques such as spam that contains malicious links or by setting up a bogus Web site and using search engine optimization to popularize it. But the most common technique is to inject malicious iFrames into legitimate sites and redirect traffic to the exploit page. Some entrepreneurs will even sell redirected Web traffic at a reasonable rate.

But don’t get any ideas about reselling these exploit kits. These guys might be criminals, but they don’t tolerate piracy. “You are not allowed to resell/share, if we catch you doing this your license will be revoked,” the purveyors of Crimepack warn.